
Forms Authentication Question - ASP.NET Security


  1. #1

    forms authentication question

    Everything is working in my authentication process except
    for the fact that I can't retrieve the "UserData" property
    from the "FormsAuthenticationTicket".

    Right before I do a "RedirectFromLoginPage", I check
    the "UserData" property of
    the "FormsAuthenticationTicket". It's set to the
    value "Admin" (a role for the user), which is what I want.

    Here is the code:

    strUserName = CType(drOLEDBNicemScheduling.GetValue(1) & Chr(32) & _
                        drOLEDBNicemScheduling.GetValue(2), String)
    'Set the authentication ticket (the role goes into UserData)
    Dim arrRoles(0) As String
    arrRoles(0) = CStr(drOLEDBNicemScheduling.GetValue(3))
    Dim ticket As New FormsAuthenticationTicket(1, strUserName, Now, _
        DateAdd(DateInterval.Minute, 60, Now), _
        ValidateLogin.PersistantCookie, arrRoles(0))
    Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
        FormsAuthentication.Encrypt(ticket))
    If ValidateLogin.PersistantCookie Then
        Response.Cookies.Add(cookie)
    End If
    'Create Identity
    Dim objIdentity As New Security.Principal.GenericIdentity(strUserName)
    Dim objPrincipal As New Security.Principal.GenericPrincipal(objIdentity, arrRoles)

    FormsAuthentication.RedirectFromLoginPage(strUserName, _
        ValidateLogin.PersistantCookie)

    However, once I get in the Global.asax file in
    the "Application_AuthenticateRequest" event (fired by the
    FormsAuthentication.RedirectFromLoginPage method), I check
    the "UserData" property of the ticket and it's an empty
    string! All the other properties pertaining to the ticket
    are there. I'm setting up the cookie, so the "Userdata"
    property should be populated.

    Here is the code in the global.asax file:

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)

        If (Not (HttpContext.Current.User Is Nothing)) Then
            If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
                If HttpContext.Current.User.Identity.IsAuthenticated Then
                    Dim id As FormsIdentity = _
                        CType(HttpContext.Current.User.Identity, FormsIdentity)
                    Dim ticket As FormsAuthenticationTicket = id.Ticket
                    'The single role is expected in UserData
                    Dim roles(0) As String
                    roles(0) = ticket.UserData
                    HttpContext.Current.User = New _
                        System.Security.Principal.GenericPrincipal(id, roles)
                End If
            End If
        End If

    End Sub

    What am I doing wrong??? I need to be able to identify the
    role of the user (they will only have 1 role).

    Thanks,

    Bill........
    bill yeager Guest

  2. #2

    Forms Authentication Question

    I would like to secure an ASP.NET application with Forms
    Authentication. Within the web.config file of the
    application, I have the following:

    <authentication mode="Forms">
    <forms
    loginUrl="http://localhost/authenticate/login.aspx"
    path="/" />
    </authentication>

    <authorization>
    <deny users="?" />
    </authorization>

    The IIS Security is set to Anonymous Access. When I
    attempt to access a page in my web application, I am
    redirected to the login page specified in the URL above.
    When I enter the username and password, and click login,
    I am redirected again to the same login page. I cannot
    get past the login page. What am I doing wrong?
    Greg Guest

  3. #3

    Re: Forms Authentication Question

    Greg Wrote:
    > The IIS Security is set to Anonymous Access. When I
    > attempt to access a page in my web application, I am
    > redirected to the login page specified in the URL above.
    > When I enter the username and password, and click login,
    > I am redirected again to the same login page. I cannot
    > get past the login page. What am I doing wrong?
    Hey

    The
    <forms
    loginUrl="x"...

    redirects you to a page where you want unauthorized users to go.
    If the validation mismatches you will get that page. That is probably why.

    You have to add some credential tags to your Web.Config, or make the validation
    correct in your database.

    ------------
    Matrixrevolutionwebspeed.dk
    2003-04 /MR


    news.tele.dk Guest

  4. #4

    Re: Forms Authentication Question

    You need to set the security cookie using either
    FormsAuthentication.RedirectFromLoginPage or SetAuthCookie.

    Hope this helps.

    Tommy

    "Greg" <ggb_business> wrote in message
    news:1450901c3c339$4b6861b0$a601280aphx.gbl...
    > I would like to secure an ASP.NET application with Forms
    > Authentication. Within the web.config file of the
    > application, I have the following:
    >
    > <authentication mode="Forms">
    > <forms
    > loginUrl="http://localhost/authenticate/login.aspx"
    > path="/" />
    > </authentication>
    >
    > <authorization>
    > <deny users="?" />
    > </authorization>
    >
    > The IIS Security is set to Anonymous Access. When I
    > attempt to access a page in my web application, I am
    > redirected to the login page specified in the URL above.
    > When I enter the username and password, and click login,
    > I am redirected again to the same login page. I cannot
    > get past the login page. What am I doing wrong?

    Tommy Martin Guest

  5. #5

    Re: Forms Authentication Question

    Thanks for the reply. I use the
    FormsAuthentication.RedirectFromLoginPage method after I
    have validated the user's username and password against
    our Active Directory.
    >-----Original Message-----
    >You need to set the security cookie using either
    >FormsAuthentication.RedirectFromLoginPage or SetAuthCookie.
    >
    >Hope this helps.
    >
    >Tommy
    >
    >"Greg" <ggb_business> wrote in message
    >news:1450901c3c339$4b6861b0$a601280aphx.gbl...
    >> I would like to secure an ASP.NET application with Forms
    >> Authentication. Within the web.config file of the
    >> application, I have the following:
    >>
    >> <authentication mode="Forms">
    >> <forms
    >> loginUrl="http://localhost/authenticate/login.aspx"
    >> path="/" />
    >> </authentication>
    >>
    >> <authorization>
    >> <deny users="?" />
    >> </authorization>
    >>
    >> The IIS Security is set to Anonymous Access. When I
    >> attempt to access a page in my web application, I am
    >> redirected to the login page specified in the URL above.
    >> When I enter the username and password, and click login,
    >> I am redirected again to the same login page. I cannot
    >> get past the login page. What am I doing wrong?
    Greg Guest

  6. #6

    Re: Forms Authentication Question

    I am having the same problem...

    I use Forms authentication and everything works fine on my local comp
    (win XP) and DID work on the host's server (win 2k)... but I just got
    moved to a win 2k3 server and now I get redirected even after being
    authenticated (I have the login page show whether or not a user is
    authenticated)

    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
    Robert Anon Guest

  7. #7

    Re: Forms Authentication Question

    Any ideas???

    This is really frustrating as it shows that I am logged in as "user"
    with the Authentication Method being FORMS ... Nevertheless, I still
    can't access the protected directory

    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
    Robert Anon Guest

  8. #8

    Re: Forms Authentication Question

    I believe the problem is that your login page is in a folder that is not
    accessible by anonymous users. Put the login.aspx page in a public
    <authorization ... allow users="*"> folder and protected pages in a separate
    folder (that doesn't allow anonymous users). Give it a shot. It works
    here!!! Also, keep in mind that web.config settings flow down the directory
    structure until another web.config is found that overrides its settings.

    HTH.

    "Greg" <ggb_business> wrote in message
    news:1450901c3c339$4b6861b0$a601280aphx.gbl...
    > I would like to secure an ASP.NET application with Forms
    > Authentication. Within the web.config file of the
    > application, I have the following:
    >
    > <authentication mode="Forms">
    > <forms
    > loginUrl="http://localhost/authenticate/login.aspx"
    > path="/" />
    > </authentication>
    >
    > <authorization>
    > <deny users="?" />
    > </authorization>
    >
    > The IIS Security is set to Anonymous Access. When I
    > attempt to access a page in my web application, I am
    > redirected to the login page specified in the URL above.
    > When I enter the username and password, and click login,
    > I am redirected again to the same login page. I cannot
    > get past the login page. What am I doing wrong?

    Z Guest

  9. #9

    forms authentication question

    Hi,

    I use Forms authentication in my vb.net asp web application.
    On the login page I set the authentication cookie, and I can see the cookie
    is there.
    On Global_AuthenticateRequest
    I get IsNothing(HttpContext.Current.User) = true.
    Why doesn't the framework recognise my cookie?

    the code to put the cookie is:

    FormsAuthentication.Initialize()

    Dim ticket As FormsAuthenticationTicket = New FormsAuthenticationTicket( _
        1, userId, _
        DateTime.Now, DateTime.Now.AddMinutes(Session.Timeout), _
        False, roles)

    Dim hash As String = FormsAuthentication.Encrypt(ticket)

    Dim cookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, hash)

    ' Add the cookie to the list for outgoing response
    Page.Response.Cookies.Add(cookie)

    z. f. Guest

  10. #10

    Re: forms authentication question

    You may use a "safer" approach for building Forms cookies from this sample :
    http://weblogs.asp.net/hernandl/archive/2004/08/05/FormsAuthRoles2.aspx

    Notice the first line:

    // Get the cookie created by the FormsAuthentication API
    // Notice that this cookie will have all the attributes according to
    // the ones in the config file setting.
    HttpCookie cookie = FormsAuthentication.GetAuthCookie( userId, false );

    And the cookie updating code:

    // Update the outgoing cookies collection.
    Context.Response.Cookies.Set(cookie);

    --
    Hernan de Lahitte
    http://weblogs.asp.net/hernandl

    "z. f." <zigiinfo-scopeREMSPAM.co.il> wrote in message
    news:ehuCXWS1EHA.132tk2msftngp13.phx.gbl...
    > Hi,
    >
    > I use Forms authentication in my vb.net asp web application.
    > On the login page I set the authentication cookie, and I can see the cookie
    > is there.
    > On Global_AuthenticateRequest
    > I get IsNothing(HttpContext.Current.User) = true.
    > Why doesn't the framework recognise my cookie?
    >
    > the code to put the cookie is:
    >
    > FormsAuthentication.Initialize()
    >
    > Dim ticket As FormsAuthenticationTicket = New FormsAuthenticationTicket( _
    >     1, userId, _
    >     DateTime.Now, DateTime.Now.AddMinutes(Session.Timeout), _
    >     False, roles)
    >
    > Dim hash As String = FormsAuthentication.Encrypt(ticket)
    >
    > Dim cookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, hash)
    >
    > ' Add the cookie to the list for outgoing response
    > Page.Response.Cookies.Add(cookie)


    Hernan de Lahitte Guest

  11. #11

    Re: forms authentication question

    Is there something wrong with my code?
    The same code in a C# web application works correctly; what could I have missed here?
    I can see that the browser sends the cookie.
    I can also see that the login page redirects me after a successful login to the requested page.
    It's just that my requested page doesn't get to execute, because the framework redirects me back to the login page, because it does not recognise the current user:
    IsNothing(HttpContext.Current.User) = true
    in global_authenticateRequest.
    Current.User should get its instance from the framework using the auth cookie, automatically. Is this correct?


    "Hernan de Lahitte" <hernanlagash.com> wrote in message news:egwYtVi1EHA.3540TK2MSFTNGP10.phx.gbl...
    > You may use a "safer" approach for building Forms cookies from this sample :
    > http://weblogs.asp.net/hernandl/archive/2004/08/05/FormsAuthRoles2.aspx
    >
    > Notice the first line:
    >
    > // Get the cookie created by the FormsAuthentication API
    > // Notice that this cookie will have all the attributes according to
    > // the ones in the config file setting.
    > HttpCookie cookie = FormsAuthentication.GetAuthCookie( userId, false );
    >
    > And the cookie updating code:
    >
    > // Update the outgoing cookies collection.
    > Context.Response.Cookies.Set(cookie);
    >
    > --
    > Hernan de Lahitte
    > http://weblogs.asp.net/hernandl
    >
    > "z. f." <zigiinfo-scopeREMSPAM.co.il> wrote in message
    > news:ehuCXWS1EHA.132tk2msftngp13.phx.gbl...
    >> Hi,
    >>
    >> I use Forms authentication in my vb.net asp web application.
    >> On the login page I set the authentication cookie, and I can see the cookie
    >> is there.
    >> On Global_AuthenticateRequest
    >> I get IsNothing(HttpContext.Current.User) = true.
    >> Why doesn't the framework recognise my cookie?
    >>
    >> the code to put the cookie is:
    >>
    >> FormsAuthentication.Initialize()
    >>
    >> Dim ticket As FormsAuthenticationTicket = New FormsAuthenticationTicket( _
    >>     1, userId, _
    >>     DateTime.Now, DateTime.Now.AddMinutes(Session.Timeout), _
    >>     False, roles)
    >>
    >> Dim hash As String = FormsAuthentication.Encrypt(ticket)
    >>
    >> Dim cookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, hash)
    >>
    >> ' Add the cookie to the list for outgoing response
    >> Page.Response.Cookies.Add(cookie)



    z. f. Guest
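An added example, not code from any post in this thread, that addresses post #1 and posts #9 to #11 together: the login helper lets the FormsAuthentication API build the cookie (as Hernan's GetAuthCookie sample does), re-encrypts a ticket that carries the roles in UserData, and redirects with GetRedirectUrl, because RedirectFromLoginPage issues its own ticket with an empty UserData and overwrites a hand-built cookie; the Global.asax handler then rebuilds the principal from UserData on every request. The names LoginHelper, IssueTicketAndRedirect, ParseRoles and the "|" role separator are assumptions.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class LoginHelper
    ' Called from the login page AFTER the credentials have been verified.
    Public Shared Sub IssueTicketAndRedirect(ByVal userName As String, _
            ByVal roles As String(), ByVal persistent As Boolean, ByVal ctx As HttpContext)
        ' Let the API build the cookie: name, path, domain, secure flag and timeout
        ' come from the <forms> element, so nothing has to be copied by hand.
        Dim cookie As HttpCookie = FormsAuthentication.GetAuthCookie(userName, persistent)
        Dim apiTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(cookie.Value)

        ' Same lifetime and path as the API ticket, but with the roles in UserData.
        Dim ticket As New FormsAuthenticationTicket(apiTicket.Version, apiTicket.Name, _
            apiTicket.IssueDate, apiTicket.Expiration, apiTicket.IsPersistent, _
            String.Join("|", roles), apiTicket.CookiePath)
        cookie.Value = FormsAuthentication.Encrypt(ticket)
        ctx.Response.Cookies.Set(cookie)

        ' Redirect by hand: RedirectFromLoginPage would issue its own cookie
        ' (UserData = "") and replace the one set above.
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent))
    End Sub

    ' Inverse of the String.Join above; a missing or empty UserData yields no roles.
    Public Shared Function ParseRoles(ByVal userData As String) As String()
        If userData Is Nothing OrElse userData.Length = 0 Then Return New String() {}
        Return userData.Split("|"c)
    End Function
End Class

' Global.asax: rebuild the principal from the ticket on every request so that
' User.IsInRole("Admin") and <allow roles="..."> work on the protected pages.
Public Class Global_asax
    Inherits HttpApplication

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim user As IPrincipal = HttpContext.Current.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return
        ' Only a request authenticated by Forms carries a FormsIdentity with a ticket.
        If Not (TypeOf user.Identity Is FormsIdentity) Then Return
        Dim id As FormsIdentity = CType(user.Identity, FormsIdentity)
        Dim roles As String() = LoginHelper.ParseRoles(id.Ticket.UserData)
        HttpContext.Current.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```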

  12. #12

    Forms Authentication Question



    I would like to use Forms Authentication on my website but only certain
    pages need to be authenticated. In other words, users can browse many
    pages on the site without having to log in, but when they access certain
    pages, they have to be authenticated. Can I use Forms Authentication in
    this scenario or is Forms Authentication for the entire site?

    Thanks

    Rob

    *** Sent via Developersdex http://www.developersdex.com ***
    Rob Guest

  13. #13

    Re: Forms Authentication Question

    Hello Rob,

    add a location element for the pages that should be authenticated

    like

    <location path="page.aspx">
      <system.web>
        <authorization>
          <allow roles="Role" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    or put all pages that need auth together in one directory and specify the
    directory name in the location element.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     


    Dominick Guest
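An added web.config, not from any post here, that puts together Dominick's location advice (post #13) with the point from post #8 that the login page itself must be reachable anonymously: the site default allows anonymous browsing, one location protects a whole folder by role, one protects a single page, and loginUrl points inside the application rather than at a separate one as in post #2. The folder and page names (public, secure, report.aspx) and the role name Admin are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl lives under /public, which the location below keeps open
           to anonymous users; pointing it at another application (post #2)
           means the cookie is issued for a different path and never arrives. -->
      <forms loginUrl="public/login.aspx" path="/" timeout="20"
             slidingExpiration="true" />
    </authentication>
    <!-- Site-wide default: anonymous browsing allowed (post #12's request). -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Login page and other public pages: explicitly open, so a stricter rule
       inherited from a parent web.config cannot lock out the login form. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Everything under /secure: rules are evaluated top-down, first match wins,
       so Admin is allowed and every other user (anonymous or not) is denied. -->
  <location path="secure">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- A single page outside that folder: any authenticated user, no anonymous. -->
  <location path="report.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The `<allow roles="Admin">` rule only works if the principal installed for the request actually carries the role, which is what the Application_AuthenticateRequest code earlier in the thread is for.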

  14. #14

    Re: Forms Authentication Question

    Thanks Dominick,

    I have a lot of files so I think putting them in a separate folder is
    the way to go.

    Rob

    *** Sent via Developersdex http://www.developersdex.com ***
    Rob Guest

  15. #15

    forms authentication question

    I want to use forms authentication, but since the forms authentication
    cookie is not updated all the time, I want to use server-side to check for
    validation user's login status/information. If I create an unique session
    key and store it in the forms authentication cookie as custom data, can I
    check on every Application_BeginRequest() if the cookie is expired, and if
    the cookie is expired but the session key is valid (validated against the
    database), call FormsAuthentication.RenewTicketIfOld and re-set the forms
    authentication cookie?

    It looks like this would be a good check for making sure that if someone
    steals the forms authentication cookie and somehow decrypts it, they still
    wouldn't be able to login because of a server-side check? Or maybe this is
    not necessary, creates overhead, and not secure at all? I just want some
    opinions.

    Thanks in advance,
    Eric


    Eric Guest

  16. #16

    Re: forms authentication question

    Hi,

    i don't really see what you are trying to do -

    the forms auth auth ticket has a timeout - and 2 renewal modes: sliding and
    non sliding

    in non sliding the timeout is absolute - and users have to reauth after this
    timeout
    in sliding the ticket gets renewed for the time specified in timeout after
    timeout/2

    as long as you don't persist cookies and use SSL - i don't see a problem
    here..?

    However, if you store additional data in the cookie - like roles - you should
    have a manual expiration mechanism to update roles after a certain amount
    of time. This also gives you the chance to check if the user is still valid/roles
    have changed.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     


    Dominick Guest

  17. #17

    Re: forms authentication question


    Thank you for a reply. Yes, the forms authentication cookie has a sliding
    timeout or absolute timeout, but my problem is that the sliding expiration
    does not get updated all the time. So, if I set the sliding expiration to 20
    minutes, the cookie will be updated after 10 minutes, and if the user did
    something in the first 10 minutes, but then didn't do anything for the next
    15 minutes, forms authentication cookie will be timed-out. That's what I'm
    trying to avoid. Storing custom session key in the cookie gives me an ability
    to renew the cookie as long as the session key has not expired. I will also
    be using in-memory cookie and SSL, so that it will be difficult to steal
    forms authentication cookie, but if it's stolen, there would be another level
    of server-side checks that would have to be passed.

    Eric Guest

  18. #18

    Re: forms authentication question

    Hi,

    so does your session key also have an expiration time? why don't you just
    set a longer timeout on the forms ticket?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com


    Dominick Guest

  19. #19

    Re: forms authentication question


    I have 20 minute timeout on the session key. Every time a request is made to
    the database, the expiration time is updated. I can increase the timeout on
    the forms authentication cookie, but I really would like to keep both the
    session key and the forms authentication cookie close to each other if
    possible. If I set the forms authentication cookie timeout to 40 minutes and
    I have a page where the code is not hitting the database, then the user will
    be valid for 40 minutes, instead of 20. But if I set the forms authentication
    timeout to 20 and then validate the session key (stored in the forms cookie
    as user's data) against the database, then the timeouts will be in sync. I
    just don't know what solution is better: increase forms timeout or keep the
    same timeout for both session key and forms cookie validate/extend the
    session key on every request.

    Eric Guest

  20. #20

    Re: forms authentication question

    Hi,

    ok - you made two points

    a) avoiding expiration

    why don't you just call RenewTicketIfOld on every request?

    b) stealing the cookie

    if the cookie is expired - it is expired. If someone can steal the cookie
    (including your session key) - he can keep the ticket alive by regularly
    posting back to the web site. I don't see a security gain here.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com


    Dominick Guest
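An added example, not code from Eric or Dominick, for the exchange in posts #15 to #20. Dominick's point stands: a server-side key inside the cookie adds nothing against a stolen cookie, because whoever holds the cookie holds the key. What the "manual expiration mechanism" from post #16 does buy is a bound on how long cached roles are trusted: UserData carries an issue stamp next to the roles, and once the stamp is older than RefreshMinutes the roles are reloaded from the store and the ticket is reissued with the same expiry, so a disabled or demoted user is cut off within that window rather than at ticket expiry. The class RoleRefresh, the RoleLookup delegate and the "<ticks>|<role,role>" layout are assumptions; Long.TryParse and HttpOnly need .NET 2.0 or later.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class RoleRefresh
    ' Roles cached in the ticket are trusted for at most this long.
    Public Const RefreshMinutes As Integer = 10

    ' Role source is assumed; wire it to the real database or directory query.
    Public Delegate Function RoleLookup(ByVal userName As String) As String()

    ' UserData layout (assumed): "<issuedUtcTicks>|<role1>,<role2>,..."
    Public Shared Function BuildUserData(ByVal issuedUtc As DateTime, ByVal roles As String()) As String
        Return issuedUtc.Ticks.ToString() & "|" & String.Join(",", roles)
    End Function

    ' True only if the stamp parses and is younger than RefreshMinutes;
    ' a malformed UserData is treated as stale, never as fresh.
    Public Shared Function IsFresh(ByVal userData As String, ByVal nowUtc As DateTime) As Boolean
        Dim parts As String() = userData.Split("|"c)
        Dim ticks As Long
        If parts.Length <> 2 OrElse Not Long.TryParse(parts(0), ticks) Then Return False
        Return nowUtc.Subtract(New DateTime(ticks)).TotalMinutes < RefreshMinutes
    End Function

    Public Shared Function RolesFrom(ByVal userData As String) As String()
        Dim parts As String() = userData.Split("|"c)
        If parts.Length <> 2 OrElse parts(1).Length = 0 Then Return New String() {}
        Return parts(1).Split(","c)
    End Function

    ' Call from Application_AuthenticateRequest; installs the principal to use.
    Public Shared Sub Authenticate(ByVal ctx As HttpContext, ByVal lookup As RoleLookup)
        If ctx.User Is Nothing OrElse Not (TypeOf ctx.User.Identity Is FormsIdentity) Then Return
        Dim id As FormsIdentity = CType(ctx.User.Identity, FormsIdentity)
        Dim ticket As FormsAuthenticationTicket = id.Ticket
        Dim roles As String()

        If IsFresh(ticket.UserData, DateTime.UtcNow) Then
            roles = RolesFrom(ticket.UserData)
        Else
            ' Stale stamp: go back to the store. A user who has been disabled or
            ' demoted loses access here, not only when the ticket finally expires.
            roles = lookup(id.Name)
            If roles.Length = 0 Then
                FormsAuthentication.SignOut()
                ctx.User = New GenericPrincipal(New GenericIdentity(""), New String() {})
                Return
            End If
            ' Reissue with the same expiry; the fresh stamp avoids a lookup per request.
            Dim renewed As New FormsAuthenticationTicket(ticket.Version, ticket.Name, _
                ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, _
                BuildUserData(DateTime.UtcNow, roles), ticket.CookiePath)
            Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                FormsAuthentication.Encrypt(renewed))
            cookie.Path = ticket.CookiePath
            cookie.HttpOnly = True                       ' keep script away from the ticket
            cookie.Secure = FormsAuthentication.RequireSSL
            ctx.Response.Cookies.Set(cookie)
        End If
        ctx.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```

Keep the cookie non-persistent and the site on SSL as Dominick recommends; this code only shortens how long a stale role assignment survives inside a valid ticket.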
